Mega Bug Bounty Makes First Payouts

Week one of the Mega cloud storage service bug bounty is in the books and at least three payouts have been made. Controversial entrepreneur and MegaUpload founder Kim Dotcom issued the challenge last week, offering a €10,000 reward to anyone who could break the encryption protecting the service. Six levels of vulnerabilities were described, each with a different reward. According to a Twitter post yesterday, a €1,000 payout was made to Frans Rosen for a cross-site scripting bug he discovered. The Next Web, meanwhile, reported that Dotcom confirmed to them that three payouts have been made so far.

Seven bugs were reported and patched, Dotcom wrote in a blog post this week. The most serious were a missing X-Frame-Options header, which left the site at risk of clickjacking, and a missing HTTPS header.

A cross-site scripting vulnerability was reported in strings passed from the site’s API server to a download page via three vectors, the post said. To exploit this flaw, an attacker would need access to the server or would have to conduct a man-in-the-middle attack.

Three other, less serious cross-site scripting bugs were fixed: one through file and folder names, another on the file download page, and a third in a third-party component.

The final bug was an invalid application of CBC-MAC, a message authentication code built from a block cipher in CBC mode, which was used as an integrity check on active content.

“No static content servers had been operating in untrusted data centers at that time, thus no elevated exploitability relative to the root servers, apart from a man-in-the-middle risk due to the use of a 1024 bit SSL key on the static content servers,” the post said of possible mitigating factors.

The vulnerability classifications established by Mega range from low-impact or theoretical attacks to cross-site scripting, remote code execution on clients and Mega servers, crypto design flaws, and exploitable crypto design flaws.

“It is clear that the vulnerabilities identified so far could all be found by checking only a few lines of code at a time; none of them required any analysis at a higher level of abstraction,” the post said, adding that the bounty will continue.

Mega is the successor to MegaUpload, which was shut down by the U.S. government and New Zealand authorities over copyright infringement. Dotcom was at the center of controversy at the time of the shutdown, which prompted a number of attacks, including a high-profile DDoS attack against the U.S. Department of Justice, reportedly by members of Anonymous.

The MegaUpload shutdown was prompted by allegations that the site was illegally hosting copyrighted content such as movies and music and that the company knew of the problematic content and did nothing to remove it.

Upon the launch of Mega, security experts criticized the site’s browser-based encryption as weak, according to reports. Dotcom answered the critics by instituting the bug bounty.

Authors

Threatpost